[Koha] CSRF tokens are not getting validated
Jonathan Druart
jonathan.druart at bugs.koha-community.org
Wed Jan 29 01:55:15 NZDT 2025
Are you using Plack?
Le mar. 28 janv. 2025 à 13:33, <koha at ourlib.in> a écrit :
>
> Hello,
> sorry to bother you again. The security team has raised the following concern,
> please guide me in fixing the same:
> ===============
> In Koha version 24.05, CSRF tokens are not getting validated during
> insert or update operations (e.g., creating a new patron). Even when the
> CSRF token is removed or invalid, Koha still processes the request and
> creates the new patron.
>
> Koha Version: 24.05
> Steps to Reproduce:
>
> Navigate to the patron creation form in Koha.
> Remove the CSRF token from the input and meta tags.
> Submit the form to create a new patron.
> The new patron is created successfully, despite the missing or
> invalid CSRF token.
>
>
> Koha v24.05 does not validate CSRF tokens correctly, potentially
> exposing the system to CSRF attacks.
> =================
>
> Regards,
> Vikram
>
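The check the report describes as missing, shown as an added illustration that is not Koha's own code (Koha's check in this release lives in the Plack middleware Koha::Middleware::CSRF, one reason the reply asks about Plack): a small Plack middleware that refuses state-changing requests unless the submitted token matches one derived from the session. The package name, cookie name, parameter name, request path, header name and secret below are assumptions made for this example.

```perl
#!/usr/bin/perl
# Added example, not Koha code: a minimal Plack middleware that rejects
# POST/PUT/PATCH/DELETE requests whose CSRF token is missing or invalid.
use strict;
use warnings;

package My::Middleware::CSRF;    # assumed name, not Koha::Middleware::CSRF
use parent 'Plack::Middleware';
use Plack::Request;
use Digest::SHA qw(hmac_sha256_hex);

# Assumed value for the example; a real deployment reads this from configuration.
my $SECRET = 'example-only-secret';

# Token bound to the session: HMAC(secret, session_id). A token from another
# session, or a forged one without the secret, will not match.
sub token_for_session {
    my ($session_id) = @_;
    return hmac_sha256_hex($session_id, $SECRET);
}

# Constant-time string comparison so the check does not leak the token byte by byte.
sub tokens_match {
    my ($x, $y) = @_;
    return 0 unless length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

sub call {
    my ($self, $env) = @_;
    my $req = Plack::Request->new($env);

    # Only state-changing methods are checked; GET/HEAD/OPTIONS pass through.
    if ($req->method =~ /^(?:POST|PUT|PATCH|DELETE)$/) {
        my $session_id = $req->cookies->{CGISESSID} // '';          # assumed cookie name
        # Accept the token as a form field or as a request header (assumed names).
        my $token = $req->param('csrf_token') // $req->header('X-CSRF-Token') // '';

        # A missing session, a missing token, or a mismatch all end the request here,
        # before the wrapped application (e.g. the patron-creation handler) runs.
        unless (length $session_id && length $token
                && tokens_match($token, token_for_session($session_id))) {
            return [ 403, [ 'Content-Type' => 'text/plain' ], [ "Wrong CSRF token\n" ] ];
        }
    }
    return $self->app->($env);
}

package main;
use Plack::Test;
use HTTP::Request::Common;

# Toy application standing in for the "create patron" handler (constructed).
my $app = sub { [ 200, [ 'Content-Type' => 'text/plain' ], [ "patron created\n" ] ] };
my $protected = My::Middleware::CSRF->wrap($app);

test_psgi app => $protected, client => sub {
    my $cb  = shift;
    my $sid = 'constructed-session-id';
    my $path = '/cgi-bin/koha/members/memberentry.pl';    # assumed path

    # Same form, once with the session's token and once with the token removed,
    # which is the second step of the report's reproduction.
    my $with_token = $cb->(POST $path,
        [ surname => 'Example', csrf_token => My::Middleware::CSRF::token_for_session($sid) ],
        Cookie => "CGISESSID=$sid");
    my $without_token = $cb->(POST $path,
        [ surname => 'Example' ],
        Cookie => "CGISESSID=$sid");

    print "with valid token:   ", $with_token->code,    "\n";   # 200, patron created
    print "token removed:      ", $without_token->code, "\n";   # 403, request refused
};
```

The point the report makes is visible in the second request: with the token stripped from the form, the middleware answers 403 and the wrapped handler never runs, whereas the reported behaviour is that the handler runs anyway. Because this kind of check is implemented as middleware in the request pipeline, a deployment that bypasses that pipeline would not get the protection, which is the first thing to confirm.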